Fail2ban – no correct remote address for “Failed login attempt” in error.log

I'm using ttrss in a docker container (Docker) behind a proxy (Docker).

Everything works fine except the remote address at “Failed login attempt” of error.log.

The “Failed login attempt” shows the IP address of the internal Docker network, for example 172.18.0.3.

Here I want to see the remote address to get fail2ban working.

Changing the nginx access_log log format helps to get correct remote addresses in the access.log but not in the error.log.

There is no option to set the nginx error_log log format.

Because the error log entry of “Failed login attempt” is from tt-rss, I think only tt-rss can set the correct remote address?

Please help me to get fail2ban working.

You’re right, tt-rss shows $_SERVER['REMOTE_ADDR'], which wouldn’t be correct for a remote proxy. It should probably also log X-Forwarded-For and X-Real-IP if those are set.

@fox
Please add this to the ttrss source.

I’m far from an expert so open to be “foxed” :slight_smile: but I spent some time looking at this last year. I originally updated the source to coerce this to work, but a cleaner solution that didn’t require hacking around in the code was to configure nginx’s realip module, which has worked fine for the last 8 months or so.

http://nginx.org/en/docs/http/ngx_http_realip_module.html

My tt-rss is behind nginx and traefik, both protect the source IP correctly.

I feel like this is the real solution because it actually handles the issue at the proper level of the stack.

(At the same time would it hurt to add a get_client_real_ip() function to pick the correct value? I don’t know.)

more like get_client_maybe_real_ip() :slight_smile:
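Why such a helper could only return a "maybe" real address, as an added example that is not part of the thread or of tt-rss: X-Forwarded-For is supplied by the client, so it is usable for logging and fail2ban only when the direct peer is a known proxy. This Python sketch applies the same trust rule as nginx's set_real_ip_from; the function names, the 172.18.0.0/16 proxy network and the sample addresses are assumptions.

```python
import ipaddress

# Assumption: the reverse proxy lives on a Docker network like the
# 172.18.0.3 address seen in the thread; adjust to your own subnet.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP and belongs to a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Pick the address to log for a failed login.

    The header is honoured only when the direct peer is a trusted proxy.
    Hops are read right to left, skipping trusted proxies, so values the
    client put at the front of the header are never used.
    """
    if not x_forwarded_for or not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer
        if not is_trusted(hop, trusted):
            return hop
    return remote_addr  # every hop was a trusted proxy (choice made here)


if __name__ == "__main__":
    # Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For)
    samples = [
        ("172.18.0.3", "203.0.113.7"),            # normal proxied request
        ("172.18.0.3", "10.1.1.1, 203.0.113.7"),  # client pre-filled header
        ("198.51.100.9", "203.0.113.7"),          # direct hit, header ignored
    ]
    for peer, xff in samples:
        print(f"{peer:>14}  XFF={xff!r:28} -> log {client_ip(peer, xff)}")
```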

@t7r5s, thank you for bringing me in the right direction.
It is really the cleaner solution to configure nginx’s realip module.

Just a note (it may help others who run into the same problem):

For nginx:

  • Load the realip module (Module ngx_http_realip_module)

  • Set following configuration:

    set_real_ip_from traefik;  # DNS name/proxy IP address or network subnet address
    real_ip_header X-Forwarded-For;
    

For apache: